NY, US · AI law tracker

S1422 — NY, US

S1422 is an AI governance legislation from NY, currently committee. The proposed S1422 bill requires private entities to implement written policies for biometric data retention and destruction [1]. AIGI tracks 2 primary-source updates on this bill; the most recent was published on 2025-01-09.

Status & timeline

Regulatory stage
committee
Bill status
in committee
Authority / governing body
New York State Senate
Chamber
senate
Document type
legislation

Next deadline: No fixed deadline — bill currently in committee review.

Subscriber only

Full obligation matrix

ActorObligationDeadlineSource
deployerDevelop a written policy establishing a retention schedule for biometric identifiers and biometric information.Upon enactment (specific date not yet determined)
deployerDevelop a written policy establishing guidelines for permanently destroying biometric identifiers and biometric information.Upon enactment (specific date not yet determined)
deployerPermanently destroy biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied.Ongoing, based on purpose fulfillment
deployerPermanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity, if earlier than purpose satisfaction.Ongoing, within three years of last interaction

Subscriber only

Enforcement risk score

25
/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

  • general_counsel Review the full text of the Biometric Privacy Act once enacted to understand final legal obligations. (Upon enactment)
  • compliance_officer Draft or update an internal written policy for the retention and permanent destruction of all biometric identifiers and information. (Upon enactment)
  • cto Assess current systems for collecting, storing, and processing biometric data to ensure compliance with destruction requirements. (Upon enactment)
  • data_scientist Implement technical solutions to ensure permanent and verifiable destruction of biometric data according to the retention schedule. (Upon enactment)
  • hr_director Update employee privacy notices and internal policies to reflect biometric data handling, particularly if employee biometrics are collected. (Upon enactment)

Subscriber only

Vendor impact assessment

Vendor risk class
high
Procurement categories
security_tooling, hr_tech, other

Vendors providing biometric identification, access control, or time-tracking systems must demonstrate robust capabilities for managing data retention and permanent destruction in line with client-specific policies and legal mandates.

Sample vendor questions

  1. Do your products or services collect, store, or process biometric data for our organization?
  2. What mechanisms are in place for the permanent destruction of biometric data, and can they be aligned with specific retention schedules?
  3. How do your products facilitate compliance with a 'purpose fulfilled' or 'three-year last interaction' data destruction mandate?
  4. Can your systems provide audit trails for biometric data destruction events?
  5. What data processing agreements or contractual clauses do you offer to ensure compliance with biometric privacy acts?

Intelligence briefs (2)

legislation in_committee 1/9/2025

NY S1422: Biometric Privacy Act Introduces Data Retention & Destruction Rules

The proposed S1422 mandates private entities in New York to establish written biometric data retention and destruction policies [2].

This development signals a growing focus on data lifecycle management and privacy obligations for AI systems processing biometric data in New York.

Deadline: No fixed deadline — current status is in Senate committee.

Primary source →

Frequently asked questions

What is S1422?
The New York State Senate has introduced S1422, the Biometric Privacy Act, to establish requirements for private entities handling biometric identifiers and information [1]. This bill mandates the development of a written policy detailing data retention schedules and secure destruction guidelines. Biometric data must be permanently destroyed when its initial purpose is met or within three years of an individual's last interaction, whichever comes first [2]. Primary source →
Why does S1422 matter?
This proposal introduces a new compliance burden for organizations utilizing biometric identification systems in New York. Primary source →
Who does S1422 affect?
Organizations operating in New York State that collect, store, or otherwise process biometric identifiers or biometric information are within scope of this proposed legislation. This primarily includes private entities utilizing biometric identification systems for purposes such as access control, employee timekeeping, customer authentication, or any other application involving unique biological data. This development specifically impacts business functions across human resources, security operations, customer service, and data privacy compliance teams responsible for governance and risk management. Primary source →
What are the key dates for S1422?
No fixed deadline — bill currently in committee review. Primary source →
What is the current status of S1422?
As of the last published update, S1422 is at the "committee" stage, with bill status "in committee". Primary source →
Where can I find the primary source for S1422?
The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2025/S1422. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Related

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →